LocalhostListener

    This check is primarily added to detect workloads on older Istio versions that may break when upgrading to Istio 1.10 or later. This behavior matches what would occur in a standard Kubernetes cluster without Istio, but older versions of Istio exposed these ports.

    Consider a Service, selecting a Pod running the command nc localhost 8080 -l:

    The above example shows using the simple nc tool. Some equivalent examples in other languages:

    • Go: net.Listen("tcp", "localhost:8080")
    • Node.js:
    • Python: socket.socket().bind(("localhost", 8083))

    How to resolve

    If you do want to expose the application to other pods, there are two options:

    • Modify the application to bind to a network interface exposed to other pods. Typically, this means binding to 0.0.0.0 or ::, such as nc 0.0.0.0 8080 -l.
    1. apiVersion: networking.istio.io/v1beta1
    2. kind: Sidecar
    3. metadata:
    5. spec:
    6.   workloadSelector:
    7.       app: netcat
    8.   ingress:
    9.   - port:
    10.       number: 8080
    11.       protocol: TCP